Four Action Items to Secure your Virtual Workforce
The global pivot to a virtual workforce happened literally overnight. From March to April, the percentage of workers working from home jumped from 15% to 50% according to a survey by the National Bureau of Economic Research. For a majority of businesses and governments, protecting their workforce from COVID was their first priority. To keep organizations functioning and employees working from the safety of their homes, IT departments scrambled to ensure their virtual workforce had adequate devices and their networks had sufficient capacity and configurations in place.
Nevertheless, what organizations cannot afford to overlook are the increased security risks that come with a virtual workforce and the urgent actions needed to address those risks. Perusing Verizon’s 2020 Data Breach Investigations Report (“Verizon DBIR”) sheds light on the nature of the threats we’re facing in 2020 and helps direct our limited resources towards the biggest threats. Here are four actions that can fortify your security posture.
The first step is to identify risks unique to your organization. You are exposed not only to computer security risks but also to sensitive data breaches. For example, in a healthcare setting, your at-home users may have access to protected patient information either on screen, printed, or via phone conversations (all are protected by HIPAA regulations).
Action 1: Review your prior security risk assessment results and conduct an interim security risk analysis focused on the changes you made as you transitioned to a virtual workforce. The output of this interim assessment is a list of risks, which need to be scored based on impact and likelihood to prioritize action.
Near or at the top of your list should be user training. Although external actors were perpetrators in 70% of breaches, 30% involved internal users who were acting in ignorance, error, or malice (Verizon DBIR). Overall, 40% of breaches were the result of successful phishing or credential stealing attacks (Verizon DBIR). The good news is that we now work in an era of increased security awareness and vendors abound that offer basic security training as well as phishing awareness training and testing (see Gartner).
Action 2: Sign up with a security training company, start monthly training campaigns, and expose your employees to simulated phishing campaigns to test your workforce’s resilience.
Modern IT infrastructure like VPNs and cloud service providers like Microsoft 365 can be configured to include best-practice security controls; however, many are not configured to leverage those security controls. Some services even include security scoring (like a video game) as a means to encourage security goal-setting (see Microsoft 365 Security Score). Simple actions that can significantly enhance your security posture include enabling technical controls like multi-factor authentication and enhanced logging, and establishing administrative controls like regular review of user access failures and user account lists.
Action 3: Enable multi-factor authentication on your VPN and cloud service providers that store the sensitive data your organization is obligated to protect.
Unprotected user devices accessing your network or cloud-based systems containing sensitive data present an opportunity for malicious actors to gain unauthorized access. Maintaining a monthly patching process, deploying endpoint protection software, and enabling encryption on user devices help secure those devices.
Action 4: Patch all user devices and servers monthly.
These four action items do more than just plug security holes in your organization. These incremental enhancements collectively strengthen your organization’s security posture. They reinforce the top-down and bottom-up culture of security that is so important to securing the enterprise. Enhancing your cybersecurity posture is a never-ending journey; don’t forget to celebrate the milestones along the way, even if 50% of us are working from home.
by Malcolm Hooper, Vice President, Operations